Thursday, April 05, 2007

Taking the Fight to the Enemy Revisited

I just read Bruce Schneier's essay Security Matters: Vigilantism Is a Poor Response to Cyber Attack. He's commenting on the news I discussed in Taking the Fight to the Enemy:

As reported in Federal Computer Week, Cartwright said: "History teaches us that a purely defensive posture poses significant risks," and that if "we apply the principle of warfare to the cyberdomain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests..."

Of course, the general is correct. But his reasoning illustrates perfectly why peacetime and wartime are different, and why generals don't make good police chiefs.

A cyber-security policy that condones both active deterrence and retaliation -- without any judicial determination of wrongdoing -- is attractive, but it's wrongheaded, not least because it ignores the line between war, where those involved are permitted to determine when counterattack is required, and crime, where only impartial third parties (judges and juries) can impose punishment.

In warfare, the notion of counterattack is extremely powerful. Going after the enemy -- its positions, its supply lines, its factories, its infrastructure -- is an age-old military tactic. But in peacetime, we call it revenge, and consider it dangerous. Anyone accused of a crime deserves a fair trial. The accused has the right to defend himself, to face his accuser, to an attorney, and to be presumed innocent until proven guilty...

I'm glad General Cartwright thinks about offensive cyberwar; it's how generals are supposed to think. I even agree with Richard Clarke's threat of military-style reaction in the event of a cyber-attack by a foreign country or a terrorist organization. But short of an act of war, we're far safer with a legal system that respects our rights.
(emphasis added)

I think Bruce is wrong on two counts. The first requires you to decide if you think the United States is currently engaged in "cyberwar." I think we are close enough to cyberwar to authorize deterrence and offensive activities. The FCW article Bruce cites also said the following:

The Stratcom commander told the committee that the United States is under widespread, daily attacks in cyberspace. He added that the country lacks dominance in the cyberdomain and that it could become “increasingly vulnerable if we do not fundamentally change how we view this battle space.” (emphasis added)

The term I highlighted is important, and its significance may be lost on those without .mil experience. Dominance of the battlespace is a tenet of American warfare. It's the reason we are very good at obliterating enemies (and probably less good at rebuilding them). (Note: please spare me any political responses here. I am not trying to make a political statement. I am speaking based on wearing a uniform for 11 years and the doctrine and training associated with that experience.)

For example, various states of control describe how the Air Force views warfare in the aerospace domain:

  • Air parity: control of the skies only above friendly troop positions

  • Air superiority: control whereby friendly forces can act without prohibitive interference by the opposing force

  • Air supremacy: a degree of air superiority wherein the opposing air force is incapable of effective interference


Based solely on open source threat reports (open source meaning in the press and unclassified, not OSI licensed!), the Air Force (and the entire .mil/.gov) doesn't even have "air parity." This means we are losing the battle in a domain that the Air Force, military, and national security apparatus considers crucial. The Air Force and DoD are acting because we do not even have control of our own "airspace." I'm looking forward to seeing what the Air Force Cyberspace Command does later this year when activated.

The second reason Bruce is wrong involves his excessively pacifist attitude. He says "going after the enemy... in peacetime [is] revenge." This is not true. Police forces routinely run sting operations, raid suspected crystal meth labs, and undertake plenty of other offensive actions to remove threats before they can continue to perpetrate crimes. Police also patrol the streets, projecting force and control and deterring crime.

While I agree that the military is not a police force, the military is currently the only force with the ability to take the fight to the enemy. Police forces are barely able to address a limited number of defensive investigations. They have zero capability to run anything other than "To Catch a Predator"-type sting operations.

The bottom line is we are losing the battle in cyberspace, and something has to change. We cannot code, block, or patch our way out of this situation.

16 comments:

Thomas said...

Challenging your argument that we can't "block or patch our way out of this situation":

The Air Force has Air Supremacy because of the way it's designed. However, but for the JDAM securing the USAF's fixed-wing close air support role, the joint service agencies would not necessarily have Supremacy.

Without an effective close-air support role for the USAF, control and use of airspace would fall more heavily on helicopter gunships. Parity/Superiority/Supremacy-wise: aren't gunships less commanding? Can't guerillas just knock them out of the sky?

The USAF, Army, Navy, and USMC: network, host, code, cryptography. DECISIONS made to allocate roles and resources in the different agencies and settings grant supremacy or yield parity.

Bringing this back to security: you're advocating a change to the rules of engagement for how we handle "enemies" in cyberspace. You're basing this on the empirical evidence that network, host, code, and crypto are failing under the current rules.

But we can change more than the rules of engagement. We can also re-evaluate how we allocate security --- budget, mindshare, user interface conveniences and concessions, time, and effort --- among the different settings in which security is implemented.

I'm not convinced that we can't make a dent in the problem just by shaking up where we stick the countermeasures.

Richard Bejtlich said...

Thomas, I see where you're coming from. However (and this doesn't relate to cyberspace) the Air Force is perfectly capable of achieving air supremacy without much (if any) help from the other services. The Air Force is not going to take or hold territory with airpower but it can (and does) completely control airspace with airpower alone.

Thomas said...

Well, you've got all the warfighting doctrine mojo; I just have what I read in The Atlantic. So let me ask: does the USAF have "Air Supremacy", or does The United States?

If it's the former then what you're saying makes sense.

If it's the latter then you're talking about "potential"; "actual" Supremacy depends on the decisions the commanders make about how to allocate and exploit that potential.

Richard Bejtlich said...

Hi Thomas,

If we want to speak properly we would probably say the Joint Forces Commander for whatever theatre of war has established air supremacy. The JFCC would probably rely on the Air Force for that mission, although Naval air power could also be used. All fights these days are Joint with the uniformed services acting as force providers to the JFCC.

jbmoore said...

Aircraft are at the mercy of the terrain and the elements. The USAF is likely not very keen to deploy expensive systems during severe fog or other weather conditions, especially in the hilly terrain of Afghanistan, which is why the Army and USMC like to have artillery close by.

Likewise, it's okay to attack a system under some conditions such as if that system is within your corporate network. Often though business and economic decisions overrule security decisions. Until IT security is seen to be as important as physical security, then IT security will suffer and the suffering will continue. Also, one must secure one's airspace before one hopes to secure the enemy's airspace. Likewise, we need to secure our network and computer infrastructure before we have any hope of cleaning out the bad guys elsewhere. Otherwise, for every bad guy you remove, someone else will take his place. You'll be playing whack a mole in cyberspace.

My security group, rather than protect the employees, will be there to protect the company and terrorize the employees. Our company's AUP states that people may not use company IT assets for personal use, including online shopping and the use of streaming media, yet nothing is blocked at the web proxies. Instead of putting in place access rules to prevent misuse of resources and protect the majority of employees from themselves, everything is pretty much wide open. Then my group will have to sift through all that noise to find the really bad apples. It's totally insane policy. Now you want to muddy the waters by playing cyber warrior and going after, say, botnet operators. Wouldn't you want to take away their bots first to weaken them, since it's impossible to take out their command nodes now that they've gone P2P on their Command and Control? You can't go to war without the capacity to wage the war, and we aren't there yet. Likewise, you need to pick your fights carefully, or you'll do more harm than good. I'll bet most of these generals are clueless on how to fight such a war, so they're advocating such a stance now in order to learn. The problem is that they'll inadvertently strengthen their enemy as well. Military history is replete with examples of generals and admirals ignoring technology and intelligence to their detriment. Custer had muskets against repeating rifles and he left his machine guns behind. We know how that turned out.

The current tools and tech provide both sides with a level playing field. Then it becomes a game of skill. We have a poor track record training Stonewall Jacksons and Pattons. We generally end up fighting wars of attrition instead of maneuver. You can say that Vietnam and the current engagements were maneuver wars, but we were attrited out of Vietnam and the jury is still out on Iraq. Do you really want to start something (a cyberwar) we might not be able to finish?

Chris said...

"losing the battle in cyberspace"?

This is missile gap FUD with a propeller beanie.

We're at war alright, but somehow I doubt that Iraq or Afghanistan are formidable threats to our critical domestic communications/networking infrastructure.

A nation that is, for example, China. Should we develop skills in our military to deal with what such an adversary might do? Yes. Should the DoD deploy its own systems with an eye toward resilience against the measures such a threat might take against them? Yes. Should we attempt to maintain an awareness of the inclinations of such a threat, and its likelihood to act? Yes. Does this have anything significant to do with what is currently being thrown at "our" networks right now? No.

Richard Bejtlich said...

jbmoore:

You said:

Aircraft are at the mercy of the terrain and the elements. The USAF is likely not very keen to deploy expensive systems during severe fog or other weather conditions, especially in the hilly terrain of Afghanistan, which is why the Army and USMC like to have artillery close by.

You're thinking in terms of air-to-ground operations. Air superiority/supremacy pertains to the air. The Army and Marines are not going to shoot down opposing aircraft with artillery. They have it to attack ground forces, which is what you mean.

AFDD 1-1 (.pdf) is helpful for understanding this difference. It states on p 76:

Superiority is that degree of dominance that permits friendly land, sea, air, and space forces to operate at a given time and place without prohibitive interference by the opposing [air] force. Supremacy is that degree of superiority wherein opposing air and space forces are incapable of effective interference anywhere in a given theater of operations. (word added, emphasis added)

I added the word [air] to the first sentence because it is clearly implied by the second sentence, and elsewhere in the document.

You make another point:

[O]ne must secure one's airspace before one hopes to secure the enemy's airspace.

This is not necessarily true. If you do not destroy enemy aircraft, when you enter enemy airspace you have to contend with their aircraft and their surface-to-air missiles (SAMs). If you destroy their aircraft -- over your terrain or theirs -- you gain air supremacy over your airspace and air superiority over their airspace. Once you knock out their SAMs you gain air supremacy over their airspace too.

My point with that last paragraph is I agree with the idea of taking the fight to the enemy. We can't gain even air parity by trying to fight "over here," which is another word for fighting via defensive, vulnerability-centric techniques, all doomed to fail.

Regarding clueless generals, I have faith in at least one: General Hayden, currently Director, CIA. I worked for General Hayden at AIA. He absolutely understands the fight.

Richard Bejtlich said...

Chris,

So you think we're "winning the battle in cyberspace" instead?

You said:

Should we develop skills in our military to deal with what such an adversary might do? (emphasis added)

It sounds like you haven't been paying attention to the news. "Might do" is wrong. Try "has done" and "continues to do".

The more you know about this situation the worse it is, not better. Unfortunately I do not see anyone in authority willing to speak officially on this matter.

jbmoore said...

Richard,

You have to have people on the ground to take the territory. Air superiority is the ideal for unhindered operations against an enemy, especially air-to-ground operations, since in all likelihood there are few aerial targets left, hence the superiority designation (am I missing something? Maybe I am confusing it with air supremacy). However, the Germans launched the Ardennes Offensive in December 1944, during bad weather when the US Army Air Corps had complete air superiority, rendering the air superiority moot until the weather cleared.
Air forces must have secure bases of operations to achieve their goals. England was secure and a launch point to achieving air superiority against Germany. Likewise Pacific Theater bases were secure against Japanese incursion allowing us to firebomb them at will. In spite of this, the US Navy suffered grievous losses due to kamikazes at Okinawa, but our air bases were untouched. Our civilian cyber infrastructure is not anywhere near secure. And who knows about the military? Secrecy hides incompetence as much as it does important secrets. I'm all for cyberwar if a real war breaks out, but we have not defined the enemy yet and we have much to lose. I suppose that our government is attacking other governments' systems as we speak. That's politics. It's allowed in hot and cold wars. But to use the military in a law enforcement function does a disservice to the military. The military cyberwar capacity is there to take out the foreign cyberwar operatives and their equipment and hurt the other country's will to fight. It's not there to catch criminals or bring them to justice.

Richard Bejtlich said...

Hi jbmoore,

Again I understand what you're saying, but there's a difference between taking enemy territory and controlling their airspace. One example that comes to mind was the no fly zone(s) over Iraq prior to the invasion in 2003. Coalition aircraft exercised air supremacy in these zones over Iraq despite the fact that they did not control the land territory.

You said:

[W]e have not defined the enemy yet and we have much to lose.

This is not true. It may not be exceptionally public, but it's not true.

You also said:

The military cyberwar capacity is there to take out the foreign cyberwar operatives and their equipment and hurt the other country's will to fight. It's not there to catch criminals or bring them to justice.

I agree with that. Who said the military was going to take out some Romanian carder or bot herder? Leave that to the police.

a_lex (a_lex1985-AT-mail.ru) said...

"This is not true. It may not be exceptionally public, but it's not true."

And this is an exceptionally interesting comment.

So there is a large entity, maybe even a government, that currently mounts IT attacks on the U.S. military on a scale that actually makes the US consider it an actual "enemy".

However, the information is not "exceptionally public", so in this scenario the U.S. public cannot obtain reliable, consistent info about the "fact" that currently there is supposed to be some kind of an "IT enemy" (a large organisation, government or something of that scale) waging an "IT war" against the U.S. by mounting high-tech attacks on U.S. infrastructure, right?

There is something terribly wrong with this scenario, and it has nothing to do with the state of U.S. infrastructure, ITSec, or the strategy of computer network-bound threat response.

Chris said...

Rich:

I do not think we are winning the battle for cyberspace because there is no battle (except as a metaphor).

I have no problem with preparation. I do have a problem with those who would call a skirmish a battle, or a battle a war, especially if the speaker has stars on his shoulders.

I know about Titan Rain. Unless the closed mouths you refer to are willing to speak up, I want them to get exactly zero of my tax dollars for fighting (NOT preparing to fight) what, on the evidence available, is a phantom. You'd think that asking for evidence before committing resources to a battle would be, as a previous observer on casus belli recently observed, a "slam dunk".

Let's see it, then.

Anonymous said...

Nice post. Using more examples such as war strategies would be a bonus for all security staff.

Rob Lewis said...

Richard,

You are right when you say " something has to change", but wrong when you say that " We cannot code, block, or patch our way out of this situation".

This is the work that we do, and we convert commercial IT systems into trusted ones with manageable, user-centric, default-deny ones, with full MLS, MAC, and tamper-proof auditing. We provide access and audit control at the data level, so if our Chinese friends are not on the white list, they get nothing, period. The trusted computing aspect prevents escalation of privileges; we can separate the root user from the system.

You may not believe our claims, and that is alright. Perhaps, though, you should prove that they are untrue, or provide opportunities for claim validation, before you say that something cannot be done. Otherwise, when something innovative that can help with positive change comes along, the prevailing mindset will prevent consideration, leaving us, by default, with the status quo.

Anonymous said...

Red storm rising: DOD’s efforts to stave off nation-state cyberattacks begin with China

Richard Bejtlich said...

I mentioned Gen Hayden earlier. I forgot to mention Col Gregory Rattray, commander of the 318th Information Operations Group.